

qemu_test: don't apply patch for CVE-2016-9602
The two patches conflict with each other. Leaving the vulnerability unpatched in the qemu
binaries used for the NixOS tests is tolerable.

(cherry picked from commit 3a4e237)
fpletz committed Mar 11, 2017


fpletz Franz Pletz
1 parent 5bf6aa4 commit 067e66a
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions pkgs/applications/virtualization/qemu/default.nix
@@ -72,12 +72,6 @@ stdenv.mkDerivation rec {
"0lk19qss6ky7cqnvis54742cr2z0vl8c64chhch0kp6n83hray9x")

# security fixes from debian
(fetchurl {
name = "CVE-2016-9602.patch";
url = "https://anonscm.debian.org/cgit/pkg-qemu/qemu.git/plain/debian/patches/9pfs-symlink-attack-fixes-CVE-2016-9602.patch?h=debian/qemu_2.8%2bdfsg-3";
sha256 = "0f7m1k3hbw9v0dwqn53ds36s7s334vlidvbn0682s9r2sq0sjlkv";
})

(fetchurl {
name = "CVE-2017-2630.patch";
url = "https://anonscm.debian.org/cgit/pkg-qemu/qemu.git/plain/debian/patches/nbd_client-fix-drop_sync-CVE-2017-2630.patch?h=debian/qemu_2.8%2bdfsg-3";
@@ -136,7 +130,13 @@ stdenv.mkDerivation rec {
(upstreamPatch "CVE-2017-5987" "6e86d90352adf6cb08295255220295cf23c4286e"
"09yfxf93cisx8rhm0h48ib1ibwfs420k5pqpz8dnz33nci9567jm")

] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
] ++ (if nixosTestRunner then [ ./force-uid0-on-9p.patch ] else [
(fetchurl {
name = "CVE-2016-9602.patch";
url = "https://anonscm.debian.org/cgit/pkg-qemu/qemu.git/plain/debian/patches/9pfs-symlink-attack-fixes-CVE-2016-9602.patch?h=debian/qemu_2.8%2bdfsg-3";
sha256 = "0f7m1k3hbw9v0dwqn53ds36s7s334vlidvbn0682s9r2sq0sjlkv";
})
]);

hardeningDisable = [ "stackprotector" ];

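Review bot: The reason for the new conditional on the `nixosTestRunner` branch (line 40) exists only in the commit message; nothing in the file says that the 9pfs symlink fix for CVE-2016-9602 is deliberately left out of test-runner builds because it conflicts with force-uid0-on-9p.patch. Anyone enabling nixosTestRunner for another purpose would get a qemu without that fix and no hint in the expression, so a comment above line 40 such as `# CVE-2016-9602 (9pfs symlink fixes) conflicts with force-uid0-on-9p.patch; the test-runner build intentionally ships without it` would keep the accepted risk visible. The first hunk also drops the `# security fixes from debian` comment together with the patch block, even though the CVE-2017-2630 fetchurl that follows it is still a Debian patch, and it leaves two consecutive blank lines before that block; keeping the comment on the remaining fetchurl would avoid both. The enclosing list starts outside both hunks.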